Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices. Their website says, 'Our initial hardware offering, the Pwn Plug, is the first-to-market commercial penetration testing drop box platform. This low-cost plug-and-play device is designed for remote security testing of corporate facilities, including branch offices and retail locations. A security professional or service provider can ship this device to a corporate facility and conduct a security test over the Internet without travel expenses.' Hardware buffs will recognize this unit as a SheevaPlug, but the value-add is that it's preloaded with Ubuntu Linux and and a rich suite of intrusion/testing tools. The company's 'Founder and CEO and everything else' is Dave Porcello. The video is an interview with Dave, in which he shows off and demonstrates some Pwnie Express products.

And there is an even older trick: Take ye-jailbroken-smartphone of choice (a cheap prepaid Android is probably the best). Put it in a box with a big-ol-battery, and mail it to your target. From within the mailroom, you now can attack any WiFi network or Bluetooth device in the vicinity, and you have a cellular data connection to exfiltrate all you want.

Internal would be cooler, I agree, but (sorry, it didn't make the video), the Pwnie Express works with both Wi-Fi and 3G dongles. (Not as stealthy, but this is already big enough it wouldn't exactly disappear without camouflage anyhow;))

In some states, possession of tools for picking locks or breaking into cars is illegal. Sure, they can have legitimate uses, but at some point government decided that the potential illegal uses far outweighed the legal uses and subsequently outlawed them

Now look at this device. Seemingly innocent with a legitimate purpose, but apparently a perfect platform for more nefarious use.

So I pose the question: At what point should possession a device like this or derivatives be considered to be a defacto indication of intention to illegally break into a network? Should it ever be considered that?

If not, what additional software or form factor enhancements would change your mind?

The problem is that this needs to be plugged in physically. So you would need a patsy to plug it in or physical access. On the other hand by your thinking since I can carry a usb stick with the same toolset it should be illegal as well, but since usb sticks have legitimate uses they are allowed, how would one know it was a nefarious hacking tool, without violating my privacy by asking me to expose the data it contained?

Slimjims and lockpick sets are not as easily dismissed as innocuous. I do see your parallel.

Context, as in the role of those possessing lock-picks and slim-jims, is everything. The locksmith or the tow-truck driver (whom AAA sends when I lock my keys in the car), has a perfectly legit reason to carry those tools. Same goes for things like nmap or nikto.

At what point should possession a device like this or derivatives be considered to be a defacto indication of intention to illegally break into a network?

The moment it is actually used to illegally break into a network, and never before it happens. Devices themselves have no intent and therefore cannot be "evil" until put to an "evil" use. If you have permission to do testing, using a device like this can be a great tool.

So I pose the question: At what point should possession a device like this or derivatives be considered to be a defacto indication of intention to illegally break into a network?

When a crime is committed. Until then, no laws have been broken. As much as our government would like to think that they can prevent crimes by banning items that could be used in a crime, until a crime is committed they are infringing on the rights of the Americans in question.

I know that's not how it works in real life. I understand (although disagree) with that line of thinking...I'm just one of those that believes that until a crime is committed, you don't have a criminal.

Yeah, well, if the world were mine to control it would be a vastly different place. There are a whole lot of people that could benefit from understanding the difference between a criminal act and an object, but obviously our Public School system is failing in the areas of logic and reason (among others).

I have them on my house. Most businesses have them outside their doors. How easy would it be to just walk up to a building you want to crack....how many banks have wifi that touches the "real" network?
How many of those have outlets in the lobby area or on the exterior of the building that's close enough for wifi?
The potential for bad is far greater than for good...the thing should at least be required to make a beeping noise every couple minutes...

The MiniPwner is a similar device built on a TP Link TL-Wr703N router, so you can build one for under $40. http://www.minipwner.com/ [minipwner.com]

Also Hak5 has had their Wifi Pineapple available for a few years that is similar, however their MarkIV version which should come out really soon I think will trump both the Pwnie Express and the MiniPwner. http://hakshop.myshopify.com/products/wifi-pineapple [myshopify.com]